ci: fix conditional skip and add safeguard

Adopt a third-party action to avoid script bugs, and to fix a current issue where the script fails to detect all changes when processing push events on PR branches.
hashicorp · Sep 24, 2024 · 135c745 · 135c745
1 parent 5e3b6e9
commit 135c745
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 60 deletions.
diff --git a/.github/scripts/check_skip_ci.sh b/.github/scripts/check_skip_ci.sh
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,15 +1,23 @@
 name: build
 
-# We now default to running this workflow on every push to every branch.
+# We now default to running this workflow on every pull_request push
+# in addition to protected branch push.
+#
 # This provides fast feedback when build issues occur, so they can be
-# fixed prior to being merged to the main branch.
+# fixed prior to being merged.
 #
 # If you want to opt out of this, and only run the build on certain branches
 # please refer to the documentation on branch filtering here:
 #
 #   https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore
 #
-on: [workflow_dispatch, push]
+on:
+  push:
+    branches:
+      - main
+      - release/**
+  pull_request:
+  workflow_dispatch:
 
 env:
   PKG_NAME: "consul-dataplane"

diff --git a/.github/workflows/consul-dataplane-checks.yaml b/.github/workflows/consul-dataplane-checks.yaml
@@ -3,8 +3,8 @@ name: consul-dataplane-checks
 on:
   push:
     branches:
-    - main
-    - 'release/*.*.x'
+      - main
+      - release/**
   pull_request:
 
 jobs:

diff --git a/.github/workflows/reusable-conditional-skip.yml b/.github/workflows/reusable-conditional-skip.yml
@@ -12,13 +12,55 @@ jobs:
     runs-on: ubuntu-latest
     name: Check whether to skip build and tests
     outputs:
-      skip-ci: ${{ steps.check-changed-files.outputs.skip-ci }}
-    env:
-      SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
+      skip-ci: ${{ steps.maybe-skip-ci.outputs.skip-ci }}
     steps:
+      # We only allow use of conditional skip in two scenarios:
+      #   1. PRs
+      #   2. Pushes (merges) to protected branches (`main`, `release/**`)
+      #
+      # The second scenario is the only place we can be sure that checking just the
+      # latest change on the branch is sufficient. In PRs, we need to check _all_ commits.
+      # The ability to do this is ultimately determined by the triggers of the calling
+      # workflow, since `base_ref` (the target branch of a PR) is only available in
+      # `pull_request` events, not `push`.
+      - name: Error if conditional check is not allowed
+        if: ${{ !github.base_ref && !github.ref_protected }}
+        run: |
+          echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch."
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_protected: ${{ github.ref_protected }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "Check the triggers of the calling workflow to ensure that these requirements are met."
+          exit 1
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
-      - name: Check changed files
-        id: check-changed-files
-        run: ./.github/scripts/check_skip_ci.sh
+      - name: Check for skippable file changes
+        id: changed-files
+        uses: tj-actions/changed-files@v45
+        with:
+          # This is a multi-line YAML string with one match pattern per line.
+          # Do not use quotes around values, as it's not supported.
+          # See https://github.com/tj-actions/changed-files/blob/main/README.md#inputs-%EF%B8%8F
+          # for usage, options, and more details on match syntax.
+          files: |
+            .github/workflows/reusable-conditional-skip.yml
+            **.md
+            _doc/**
+            .changelog/**
+      - name: Print changed files
+        env:
+          SKIPPABLE_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+          NON_SKIPPABLE_FILES: ${{ steps.changed-files.outputs.other_changed_files }}
+        run: |
+          echo "Skippable changed files:"
+          for file in ${SKIPPABLE_CHANGED_FILES}; do echo "  $file"; done
+          echo
+          echo "Non-skippable files:"
+          for file in ${NON_SKIPPABLE_FILES}; do echo "  $file"; done
+      - name: Skip tests and build if only skippable files changed
+        id: maybe-skip-ci
+        if: ${{ steps.changed-files.outputs.only_changed == 'true' }}
+        run: |
+          echo "Skipping tests and build because only skippable files changed"
+          echo "skip-ci=true" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -1,3 +1,5 @@
+# This job runs a non-blocking informational security scan on the repository.
+# For release-blocking security scans, see .release/security-scan.hcl.
 name: Security Scan
 
 on:
@@ -9,6 +11,8 @@ on:
     branches:
       - main
       - release/**
+    # paths-ignore only works for non-required checks.
+    # Jobs that are required for merge must use reusable-conditional-skip.yml.
     paths-ignore:
       - '_doc/**'
       - '.changelog/**'